Critical Remote Code Execution (RCE) vulnerabilities in a very popular WordPress plugin have just been made public.
These RCE flaws affect PHP Everywhere, a utility for web developers that allows PHP code to be used in pages, posts, the sidebar, or anywhere a Gutenberg block (the WordPress block editor) can be placed, on sites running the WordPress content management system (CMS). The plugin is used on more than 30,000 websites.
According to the WordFence Threat Intelligence team, the three PHP Everywhere vulnerabilities all lead to remote code execution in software versions lower than 2.0.3.
Change for administrators who use this plugin
The first vulnerability is known as CVE-2022-24663 and was assigned a CVSS severity score of 9.9.
WordPress allows authenticated users to run shortcodes through the parse-media-shortcode AJAX action. As a result, any logged-in user – even one with almost no permissions, such as the subscriber role – could send a crafted query parameter that executes arbitrary PHP, leading to a complete takeover of the website.
CVE-2022-24664, which also received a severity score of 9.9, is the second RCE vulnerability disclosed by the security researchers. This vulnerability was found in the way PHP Everywhere handles metaboxes – the draggable edit panels on the post screen – and in the fact that the software allows any user with the edit_posts capability to use these functions.
“Contributor-level users can use the PHP Everywhere metabox to run code on a site by creating a post, adding PHP code to the PHP Everywhere metabox, and then previewing the post,” says WordFence. “Although this vulnerability has the same CVSS score as the shortcode vulnerability, it is less severe because it requires contributor-level permissions.”
The third vulnerability is tracked as CVE-2022-24665 and also received a severity score of 9.9. All users with edit_posts permissions can use PHP Everywhere’s Gutenberg blocks, and attackers could alter the functionality of a website by executing arbitrary PHP code through these functions.
The plugin offered a setting to restrict this function to administrators only, but in software versions lower than 2.0.3 that restriction was not enabled by default.
WordFence disclosed the vulnerabilities to the plugin’s developer on January 4, who quickly put together a set of fixes. On January 10, a patched version of the plugin, v.3.0.0, was deployed.
Developer Alexander Fuchs says the update caused a “break” due to the necessary removal of some block editor functionality. Users who run into problems – especially if they rely on the classic editor – will therefore also need to upgrade their old code to Gutenberg blocks or find another way to run PHP.
At the time of writing, just over 30% of users have updated, so many websites are still running vulnerable versions of the plugin.
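The update gap described above is something a site operator can measure across a fleet. The following added example (not code from the article, from WordFence, or from the plugin's author) reads the standard WordPress plugin header and flags any install older than the patched 3.0.0 release; the sample headers are constructed, and the comparison is numeric so that a version such as 10.0.0 is not mistaken for an old one.

```python
import re

# Patched release named in the article; anything older still carries the RCE flaws.
PATCHED_VERSION = "3.0.0"
# Standard WordPress plugin header line, e.g. " * Version: 2.0.3"
HEADER_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.IGNORECASE | re.MULTILINE)

def parse_version(text):
    """'2.0.3' -> (2, 0, 3). Tags such as '3.0.0-beta' reduce to the leading number."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)

def is_unpatched(version, patched=PATCHED_VERSION):
    """True when `version` is older than `patched`, comparing numerically
    (plain string comparison would wrongly rank '10.0.0' below '3.0.0')."""
    a, b = parse_version(version), parse_version(patched)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))

def header_version(plugin_source):
    """Version string from the plugin header comment, or None if absent."""
    m = HEADER_RE.search(plugin_source)
    return m.group(1) if m else None

def audit(sources):
    """sources: {site: contents of the plugin's main file, or None if not installed}.
    Returns {site: status} so unpatched sites can be listed for follow-up."""
    report = {}
    for site, src in sources.items():
        ver = header_version(src) if src is not None else None
        if src is None:
            report[site] = "not installed"
        elif ver is None:
            report[site] = "unknown version"
        else:
            report[site] = ("UNPATCHED " if is_unpatched(ver) else "patched ") + ver
    return report

# Constructed sample headers standing in for three sites' plugin main files.
SAMPLE = {
    "site-a": "<?php\n/**\n * Plugin Name: PHP Everywhere\n * Version: 2.0.3\n */\n",
    "site-b": "<?php\n/*\nPlugin Name: PHP Everywhere\nVersion: 3.0.0\n*/\n",
    "site-c": None,
}

if __name__ == "__main__":
    for site, status in audit(SAMPLE).items():
        print(f"{site}: {status}")
```

In practice the dictionary values come from reading each site's plugin main file under wp-content/plugins; the file name for this plugin is not given in the article, so confirm it on a known install first.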